- Plex suffered a data breach exposing emails, usernames, and hashed passwords
- Users are urged to change passwords and enable two-factor authentication
- A separate vulnerability in Plex Media Server was patched in August
Popular media server and streaming platform, Plex, warned its users about losing their sensitive data in a cyberattack, and urged them to update their passwords as a result.
In a forum post published on September 8, Plex said it recently experienced a security incident with “limited impact”, when an unauthorized third party accessed a subset of customer data.
“While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data,” the post reads. Credit card or other payment data was not accessed since it wasn’t even stored on company servers.
Hashed passwords are unreadable
The passwords were hashed “in accordance with best practices,” Plex further stated, explaining that the hackers cannot read them. Still, to be on the safe side, the company recommends users log out of all sessions, and change all passwords. It also stresses that it will never reach out via email to ask for a password or credit card number, hinting that the miscreants might start sending phishing attacks to the email accounts they obtained in the attack.
“For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.”
As a media server and streaming platform, Plex lets users collect, organize, and stream personal media such as movies, TV shows, music, photos, and more on almost any device. It is quite popular, with some sources claiming it has more than 25 million active users.
In mid-August this year, Plex said it patched a mysterious vulnerability affecting its Plex Media Server product, and has told users to not to delay applying the fix. The company received a report via its bounty program about a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x and soon after, came forward with a patch.
Via BleepingComputer